Cloud Storage buckets with Object Versioning enabled retain a noncurrent version, identified by its generation number, whenever a live object is overwritten or deleted. This check reports whether the bucket's versioning setting is enabled.
Risk
Without Object Versioning, a deleted or overwritten object cannot be restored, which reduces availability and integrity. Compromised credentials or a faulty process can irreversibly delete or corrupt data, enabling ransomware-style destruction and accidental loss, and leaving no prior generation from which forensic reconstruction of the object's earlier contents is possible.
prowler gcp --checks cloudstorage_bucket_versioning_enabled
Recommendation
Enable Object Versioning on buckets holding important data. Pair it with lifecycle rules that expire noncurrent versions (by age or by number of newer versions) to control storage cost. Versioning alone is not a tamper-proof backup: a principal holding storage.objects.delete can delete noncurrent versions as well as live ones, so enforce least privilege for delete and overwrite actions, and add a bucket retention policy or object holds for defense in depth and auditability.
Remediation
gcloud storage buckets update gs://<BUCKET_NAME> --versioning
- In Google Cloud Console, go to Cloud Storage > Buckets and open <BUCKET_NAME>
- Click the Protection tab, then click Edit in the Object versioning section
- Set Object versioning to Enabled
- Click Save
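The recommendation and remediation above as one script, added here as an example and not code from Prowler or from Google's tooling: it classifies each bucket the way the check does (from the versioning.enabled field gcloud prints), enables versioning together with a lifecycle rule that expires noncurrent versions, and restores an overwritten object from a chosen generation. It assumes an authenticated gcloud with permission on the project; PROJECT_ID, the bucket, object and generation arguments, and the default retention of 3 versions / 30 days are placeholders.

```shell
#!/bin/sh
# Added example, not Prowler's own code. Assumes gcloud is installed and
# authenticated; PROJECT_ID, BUCKET, OBJECT and GENERATION are placeholders.
set -eu

# Map the value gcloud prints for versioning.enabled to the check verdict.
# The field is "True" only when versioning is on; it is empty when the
# setting was never configured, and "False" when it was explicitly turned off.
evaluate_versioning() {
  case "${1:-}" in
    True|true) echo PASS ;;
    *)         echo FAIL ;;
  esac
}

# Lifecycle policy for --lifecycle-file: delete a noncurrent version once more
# than $1 newer versions exist, or once it has been noncurrent for $2 days.
# Every rule sets isLive to false, so live objects are never matched.
lifecycle_policy() {
  keep="$1"; days="$2"
  cat <<EOF
{"rule": [
  {"action": {"type": "Delete"},
   "condition": {"isLive": false, "numNewerVersions": ${keep}}},
  {"action": {"type": "Delete"},
   "condition": {"isLive": false, "daysSinceNoncurrentTime": ${days}}}
]}
EOF
}

# Print "PASS gs://name" or "FAIL gs://name" for every bucket in the project.
audit_project() {
  gcloud storage buckets list --project="$1" --format="value(name)" |
  while read -r bucket; do
    enabled=$(gcloud storage buckets describe "gs://$bucket" \
                --format="value(versioning.enabled)")
    printf '%s gs://%s\n' "$(evaluate_versioning "$enabled")" "$bucket"
  done
}

# Turn versioning on and install the lifecycle policy in a single update.
remediate_bucket() {
  bucket="$1"; keep="$2"; days="$3"
  policy=$(mktemp)
  lifecycle_policy "$keep" "$days" > "$policy"
  gcloud storage buckets update "gs://$bucket" --versioning --lifecycle-file="$policy"
  rm -f "$policy"
}

# Recover an overwritten or deleted object: list its generations, then copy the
# wanted noncurrent generation back to the live object name.
list_generations() { gcloud storage ls --all-versions "gs://$1/$2"; }
restore_generation() { gcloud storage cp "gs://$1/$2#$3" "gs://$1/$2"; }

# Usage: sh versioning.sh audit PROJECT_ID
#        sh versioning.sh fix BUCKET [KEEP=3] [DAYS=30]
#        sh versioning.sh versions BUCKET OBJECT
#        sh versioning.sh restore BUCKET OBJECT GENERATION
if [ $# -gt 0 ]; then
  case "$1" in
    audit)    audit_project "$2" ;;
    fix)      remediate_bucket "$2" "${3:-3}" "${4:-30}" ;;
    versions) list_generations "$2" "$3" ;;
    restore)  restore_generation "$2" "$3" "$4" ;;
    *)        echo "unknown command: $1" >&2; exit 2 ;;
  esac
fi
```

Run the audit first and fix only the buckets reported FAIL; after enabling versioning, check the bucket's noncurrent-version count periodically, since the lifecycle rule is what keeps storage from growing without bound.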
Resource Type
storage.googleapis.com/Bucket
References
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/gcp/CloudStorage/enable-versioning.html
- https://docs.cloud.google.com/storage/docs/object-versioning
- https://docs.cloud.google.com/storage/docs/using-object-versioning
- https://docs.cloud.google.com/storage/docs/deleting-objects#restoring_noncurrent_versions
- https://docs.cloud.google.com/storage/docs/lifecycle#delete